I’m new to the container world. Does it have any security benefits when I run my applications as a non-root user in a Docker container? And how about Podman? There I’ll run the container as an unprivileged user anyway. Would changing the user in the container achieve anything?

  • NRoach44@lemmy.ml
    10 months ago

    It means that if someone breaks out of your container, they can only do things that user can do.

    Can that user access your private documents (are these documents in a container that also runs under that user)?

    Can that user sudo?

    Can that user access SSH keys and jump to other computers?

    Generally speaking, the answer to all of these should be “no”, meaning that each group of containers (or risk levels etc.) gets its own account.

  • loudwhisper@infosec.pub
    10 months ago

    I have seen this post and decided to respond via a separate blog post. https://loudwhisper.me/blog/containers-isolation/

    The short answer is that yes, they do. And yes, lowering the privileges of the user helps in avoiding container escapes, which basically makes the other advantages for containers valid. You can, however, achieve the same using (relatively obscure, imho) systemd settings, running with Flatpak, etc. Namespaces + Cgroups + Seccomp + Capabilities = better security. Containers make it easy to use all of the above.

  • ck_@discuss.tchncs.de
    10 months ago

    Containers are not a security concept. Hence, running things inside of a container does not provide any security benefits as opposed to outside of the container.

    In actual fact, if you take the time to configure your services with proper systemd security features, you get more secure environments than with running generic containers with “just” unprivileged users.
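
The question and the replies above turn on which host identity and privileges a process would carry if it left the container. As an added example (not code from any poster in this thread), this Python code parses the `Uid`, `CapEff`, `NoNewPrivs` and `Seccomp` fields of `/proc/<pid>/status` together with `/proc/<pid>/uid_map` to answer that for Docker and rootless Podman. The sample contents, the host UID 1000 and the subordinate UID range starting at 100000 are constructed assumptions.

```python
import re

# Constructed /proc/self/status excerpts and /proc/self/uid_map contents
# (illustrative values, not captured from a real host).
_NONROOT = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t2\n"
SAMPLES = {
    "docker, root in container": (
        "Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n",
        "0 0 4294967295\n"),
    "docker, USER 1000": (_NONROOT, "0 0 4294967295\n"),
    "rootless podman, root in container": (
        "Uid:\t0\t0\t0\t0\nCapEff:\t00000000800405fb\nNoNewPrivs:\t0\nSeccomp:\t2\n",
        "0 1000 1\n1 100000 65536\n"),
    "rootless podman, user 1000 in container": (
        _NONROOT, "0 1000 1\n1 100000 65536\n"),
}

def host_uid(uid_map, container_uid):
    """Translate a UID seen inside the user namespace to the parent-namespace UID."""
    for line in uid_map.strip().splitlines():
        inside, outside, length = map(int, line.split())
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # UID has no mapping outside the namespace

def assess(status, uid_map):
    """Summarise the identity and privileges a process would carry out of the container."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status, re.M))
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, filesystem
    return {
        "container_uid": euid,
        "host_uid": host_uid(uid_map, euid),
        "has_capabilities": int(fields["CapEff"], 16) != 0,
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "seccomp_filter": fields.get("Seccomp") == "2",
    }

if __name__ == "__main__":
    for name, (status, uid_map) in SAMPLES.items():
        print(f"{name}: {assess(status, uid_map)}")
```

On a real system, pass the contents of `/proc/self/status` and `/proc/self/uid_map` read from inside the container to `assess()` instead of the constructed samples.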